<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Shortcut - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/shortcut/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/shortcut/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious LNK File Creation in Temporary Directories</title><link>https://feed.craftedsignal.io/briefs/2024-01-lnk-creation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lnk-creation/</guid><description>Detection of processes creating .lnk files in suspicious locations like user directories or temporary folders, often indicative of spear phishing or malware persistence mechanisms.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting the creation of <code>.lnk</code> (shortcut) files in suspicious directories on Windows systems. Attackers frequently use this technique to establish persistence or execute malicious payloads disguised as legitimate shortcuts. The creation of <code>.lnk</code> files in locations like <code>C:\Users\*</code>, <code>*\AppData\Local\Temp\*</code>, <code>*\Temp\*</code>, and <code>*\Windows\Temp\*</code> is flagged as anomalous behavior, particularly when originating from unexpected processes. These shortcuts can be delivered via spear phishing attachments or created post-compromise to ensure continued access to the system. Defenders should prioritize monitoring for this activity, as it can lead to arbitrary code execution and further system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access, likely via spear phishing (T1566.002), delivering a malicious document or executable.</li>
<li><strong>Payload Delivery:</strong> The malicious document or executable drops a secondary payload onto the system.</li>
<li><strong>LNK File Creation:</strong> The dropped payload creates a <code>.lnk</code> file in a suspicious directory such as <code>C:\Users\&lt;username&gt;\AppData\Local\Temp\</code>.</li>
<li><strong>Shortcut Configuration:</strong> The <code>.lnk</code> file is configured to execute a malicious command or script, potentially using PowerShell or cmd.exe.</li>
<li><strong>Persistence:</strong> The <code>.lnk</code> file is designed to automatically execute upon user interaction (e.g., double-clicking the shortcut) or system startup.</li>
<li><strong>Code Execution:</strong> When the user clicks the <code>.lnk</code> file, the embedded command executes, initiating further malicious activity.</li>
<li><strong>Privilege Escalation (Optional):</strong> The attacker might attempt to escalate privileges using exploits or other techniques.</li>
<li><strong>Lateral Movement (Optional):</strong> The attacker expands their reach by moving laterally to other systems on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via malicious <code>.lnk</code> files can lead to significant damage, including unauthorized access to sensitive data, installation of malware, and complete system compromise. Organizations in all sectors are potentially vulnerable. The consequences of a successful attack include data theft, financial loss, reputational damage, and disruption of business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon Event ID 11 to monitor file creation events, specifically focusing on <code>.lnk</code> files (data_source).</li>
<li>Deploy the provided Sigma rule <code>Suspicious LNK File Creation</code> to detect the creation of <code>.lnk</code> files in suspicious locations (rules).</li>
<li>Investigate any alerts generated by the Sigma rule <code>Suspicious LNK File Creation</code> to determine the legitimacy of the <code>.lnk</code> file creation (rules).</li>
<li>Review and tune the exclusion list in the provided Sigma rule based on your organization's environment and software configurations (rules).</li>
<li>Educate users on the risks associated with opening untrusted <code>.lnk</code> files and attachments, especially those found in temporary directories (references).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lnk</category><category>shortcut</category><category>persistence</category><category>phishing</category><category>windows</category></item></channel></rss>